
Re: Fwd: [Full-Disclosure] [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG



When trying to do a match for glibc in /var/radmind/transcript on sixthday,
it is rather hard to tell what version we have going.  I know the version
built on equilibrium is glibc-2.2.5 with -2.patch also there.

However, when I did a grep on the command files, I did find:
multiuser-test.K:p lfs-glibc232.T
rdevine-sites-desktop-base.K:p lfs-glibc232.T

So they may have unaffected r11 or affected r10...

> > Affected packages
> > =================
> >
> >     -------------------------------------------------------------------
> >      Package         /      Vulnerable      /               Unaffected
> >     -------------------------------------------------------------------
> >   1  sys-libs/glibc        <= 2.3.2-r10                   >= 2.3.2-r11
> >   2  sys-libs/glibc      <= 2.3.3.20040420        >= 2.3.3.20040420-r1
> >   3  sys-libs/glibc      <= 2.3.3.20040420        >= 2.3.4.20040619-r1
> >   4  sys-libs/glibc      <= 2.3.4.20040619        >= 2.3.4.20040619-r1
> >   5  sys-libs/glibc        <= 2.3.2-r10                    Vulnerable!
> >   6  sys-libs/glibc      <= 2.3.4.20040605                 Vulnerable!
> >     -------------------------------------------------------------------
> >      # Package 1 only applies to ALPHA, ARM, HPPA, IA64 and SPARC
> >        users.
> >      # Package 2 only applies to x86 and PPC users.
> >      # Package 3 only applies to MIPS users.
> >      # Package 4 only applies to AMD64 users.
> >      # Package 5 only applies to S390 users.
> >      # Package 6 only applies to PPC64 users.
> >     -------------------------------------------------------------------
> >      NOTE: Certain packages are still vulnerable. Users should migrate
> >            to another package if one is available or wait for the
> >            existing packages to be marked stable by their
> >            architecture maintainers.
> >     -------------------------------------------------------------------
> >      6 affected packages; please see the notes above...
> >     -------------------------------------------------------------------
> >
> > Description
> > ===========
> >
> > Silvio Cesare discovered a potential information leak in glibc. It
> > allows LD_DEBUG on SUID binaries where it should not be allowed. This
> > has various security implications, which may be used to gain
> > confidential information.
> >
> > Impact
> > ======
> >
> > An attacker can gain the list of symbols a SUID application uses and
> > their locations and can then use a trojaned library taking precedence
> > over those symbols to gain information or perform further exploitation.
> >
> > Workaround
> > ==========
> >
> > There is no known workaround at this time. All users are encouraged to
> > upgrade to the latest available version of glibc.
> >
> > Resolution
> > ==========
> >
> > All glibc users should upgrade to the latest version:
> >
> >     # emerge sync
> >
> >     # emerge -pv your_version
> >     # emerge your_version
> >
> > Availability
> > ============
> >
> > This GLSA and any updates to it are available for viewing at
> > the Gentoo Security Website:
> >
> >     http://security.gentoo.org/glsa/glsa-200408-16.xml
> >
> > Concerns?
> > =========
> >
> > Security is a primary focus of Gentoo Linux and ensuring the
> > confidentiality and security of our users' machines is of utmost
> > importance to us. Any security concerns should be addressed to
> > security@xxxxxxxxxx or alternatively, you may file a bug at
> > http://bugs.gentoo.org.
> >
> > License
> > =======
> >
> > Copyright 2004 Gentoo Foundation, Inc; referenced text
> > belongs to its owner(s).
> >
> > The contents of this document are licensed under the
> > Creative Commons - Attribution / Share Alike license.
> >
> > http://creativecommons.org/licenses/by-sa/1.0
>
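
Added example, not part of the original message or the advisory: a small check that classifies an installed glibc version against the per-architecture thresholds in the quoted "Affected packages" table. The function names and the simplified `X.Y.Z[-rN]` version parsing are assumptions of this example; it does not implement full Gentoo version ordering (suffixes such as `_pre` are rejected).

```python
import re

# Thresholds copied from the "Affected packages" table of GLSA 200408-16:
# arch -> (highest vulnerable version, lowest unaffected version or None
# where the table says "Vulnerable!" and lists no fixed package).
GLSA_TABLE = {
    **dict.fromkeys(("alpha", "arm", "hppa", "ia64", "sparc"),
                    ("2.3.2-r10", "2.3.2-r11")),
    **dict.fromkeys(("x86", "ppc"),
                    ("2.3.3.20040420", "2.3.3.20040420-r1")),
    "mips": ("2.3.3.20040420", "2.3.4.20040619-r1"),
    "amd64": ("2.3.4.20040619", "2.3.4.20040619-r1"),
    "s390": ("2.3.2-r10", None),
    "ppc64": ("2.3.4.20040605", None),
}


def parse_version(version):
    """Turn 'X.Y.Z[-rN]' into a sortable (components, revision) key."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    components = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2) or 0)  # a missing -rN counts as revision 0
    return components, revision


def glsa_status(arch, version):
    """Return 'vulnerable', 'unaffected', or 'not listed' for this arch."""
    vulnerable_max, unaffected_min = GLSA_TABLE[arch.lower()]
    key = parse_version(version)
    if key <= parse_version(vulnerable_max):
        return "vulnerable"
    if unaffected_min is not None and key >= parse_version(unaffected_min):
        return "unaffected"
    # Falls in a gap the table does not cover (e.g. between the two
    # MIPS thresholds, or above the S390/PPC64 vulnerable bound).
    return "not listed"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for arch, ver in [("sparc", "2.3.2-r10"), ("sparc", "2.3.2-r11"),
                      ("x86", "2.3.2-r11"), ("mips", "2.3.3.20040420-r1")]:
        print(f"{arch:6} {ver:20} {glsa_status(arch, ver)}")
```

A package name that records only the upstream version, with no `-rN` revision, is parsed as revision 0, so the revision has to come from the package database rather than the file name.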